PRV

PATENT- OCH REGISTRERINGSVERKET

Patent Department

Certificate

This is to certify that the annexed is a true copy of
the documents as originally filed with the Patent- and
Registration Office in connection with the following
patent application.




(71) Applicant: Barratech AB, Kista

(21) Patent application number: 0203248-0

(86) Date of filing: 2002-11-05

CERTIFIED COPY OF
PRIORITY DOCUMENT

Stockholm, 2003-11-11

For the Patent- and Registration Office

Sonia Andre

Fee




PRIORITY DOCUMENT 

SUBMITTED OR TRANSMITTED IN 
COMPLIANCE WITH 
RULE 17.1(a) OR (b) 



PATENT- OCH 
REGISTRERINGSVERKET 

SWEDEN 



Postal address: Box 5055, S-102 42 STOCKHOLM
Phone: +46 8 782 25 00 (switchboard 08-782 25 00)
Telex: 17978 PATOREG S
Telefax: +46 8 666 02 86 (08-666 02 86)



Apparatus and method for negotiating network parameters 



Technical field of the invention 

The present invention relates to an apparatus and method for negotiating network
parameters for distribution of media between a client terminal and a server. More
specifically, the invention relates to means and methods for traversing a firewall
which utilises translation of network addresses.

Background of the Invention 

Today, so-called firewalls, shields or other types of protective security arrangements
are connected to almost every computer system and communication network. Such
security arrangements are necessary for preventing undesired intrusion into the
computer system or network. An attack from outside with the purpose of destruction,
or a computer virus that manages to pass the security arrangements and reach the
interior of a computer system, may cause serious damage to it. The damage applies
not only to the internal computer network or a residential computer system, but also
to various electronic equipment related to it. As an alternative to an ordinary
firewall, the user of a client terminal in a network may have a so-called network
address translator, NAT, between his part of the network and the external network.
The arrangement provides an additional obstacle for external users who want to obtain
information about the IP addresses that are present behind the NAT arrangement and,
in addition to that, the arrangement provides the user with a sufficient number of
IP addresses within his internal network.

A firewall can do address translation to protect internally used IP numbers from
being seen outside of the firewall. This translation changes the network IP
information relating to port numbers assigned for the media flow and thus re-directs
the media transport. The IP information is used by servers that manage e-meetings or
other media distribution services to identify client terminals.

One solution to the problem of how to enable traffic to and from client terminals
and servers with an intermediate firewall or other protective arrangement is to
insert a specific media proxy server in association with the communication server.
However, this is both complicated and costly and hence there is a need for an
improved solution to the problem.

Summary of the Invention 

It is therefore an object of the present invention to alleviate the previously
mentioned shortcomings of prior art associated with group communication services and
provide a generally applicable solution. This is accomplished by an apparatus and a
method for real-time data communication comprising a sending client terminal and
at least one receiving client terminal, the client terminals being provided with
protective means, the real-time data communication transmitted via an intermediate
distribution server, the protective means being provided with a network translation
unit for mapping one internally accessible network destination address with a
corresponding externally accessible network destination address,
characterised in that

the sending client terminal and the intermediate distribution server are
adapted to exchange information between one another about the current mapping of
destination addresses for the server to access the receiving client terminal with
real-time data communication.

By means of the present invention, negotiation is carried out between a server and a
client terminal to propagate the network IP information required for real-time media
communication. This is done by direct communication between the client terminal
and server using a computer communication protocol connection for transmission of
network information in cases when the network address translation is not required.
The client terminal and intermediate communication server are adapted to exchange
information about network parameters in order to be able to identify the mapping
structure between the client terminal's view of the network parameters and the
server's view after the data has passed the network address translation unit. The
mapping information is subsequently used for identifying the client terminal at the
server as well as informing the server about where to send the real-time media for
it to reach the receiving client.

Brief description of the drawings 

The features, objects, and further advantages of this invention will become apparent
by reading this description in conjunction with the accompanying drawings, in
which like reference numerals refer to like elements and in which:

Fig 1 illustrates a schematic overview of the means required for transmitting a
media stream of data according to the present invention.

Fig 2 is a schematic illustration of the mapping of network addresses when
transmitting a media stream of data according to the present invention.

Detailed description 

The following description is of the best mode presently contemplated for practising
the invention. The description is not to be taken in a limiting sense, but is made
merely for the purpose of describing the general principles of the invention. The
scope of the invention should be ascertained with reference to the issued claims.



With reference to Fig 1, a sending client terminal 10 is connected to the receiving
client terminal 20. The connection is preferably made between the sending client
terminal and the receiving client terminal via an intermediate communication server
30, which is adapted to direct or forward communication data from any sending
communication terminal to another receiving communication terminal. A protective
means 12, 22 is arranged in between each of the client terminals and the data
distributing computer network for protecting the client terminals from harmful
intrusion, such as computer viruses or other damaging and network distributed
attacks to which the client terminal can be exposed. One kind of protective means is
a software-based firewall arrangement or another computer protection means such as a
virus shield. The sending and receiving client terminals may comprise any electronic
equipment used for communication purposes, such as a personal computer or other
type of mobile communication terminal including palmtops, mobile telephones,
consoles and electronic organising tools.

In accordance with one embodiment, which is depicted in Fig 2, the general function
of a network address translator is the following: a client terminal A is to establish
communication with another client terminal B. Client terminal A is protected by a
firewall and/or a network address translator C. Client terminal B pays attention to
signals that are input on its port number "x". When executing the signalling, client
terminal A is about to transmit a signal from port number "y" to client B's port
number "x". However, the firewall and/or network address translator arrangement C
restrains this packet and re-transmits it from a port number "z" of the protective
means C to port number "x" of the client terminal B. Now, there has been established
a state in the firewall and/or network address translator C with a mapping of a
port on the external side from port "z" of the protective means C to port "y" of
client terminal A, i.e. client terminal B now transmits data to port "z" and the
firewall and/or network address translator translates this to port "y" of client
terminal A. In order to maintain the allow-return mode, client terminal A must
continuously transmit information to client terminal B through the firewall and/or
network address translation arrangement C.



More in detail, and also with reference to Fig 2, the function of a certain network
address translator arrangement in accordance with the present invention is as
follows: the first step is client terminal A and client terminal B exchanging a secret
piece of information, a so-called key, which may be a large and randomly chosen
number treated as secret information, Cr. This is done via a mechanism such as
encrypted and therefore secure HTTP (HTTPS). For clarity, although known by the
skilled person, HTTP means hypertext transfer protocol and this protocol is the
currently used standardised format for transmitting web information. This secret
information is transmitted over TCP in a secure transport mode so as to make sure
that the information reaches its intended recipient. The next step for client
terminal A is to initiate communication with client terminal B via port "x" of client
terminal B. Client terminal A transmits data from port "y" via the network translation
arrangement C. The arrangement C forwards the data to client terminal B via its port
"z". Data is now flowing from client terminal B to client terminal A by means of
client terminal B transmitting data to port "z" of the network translation
arrangement C, which in its turn translates this data to port "y" of client terminal
A. At this stage of the transmission, client terminal B transmits a request to client
terminal A to encrypt an arbitrary word "whatever" by utilising its secret key Cr,
which is the same as previously mentioned, and then transmits the encrypted arbitrary
word "whatever" to client terminal B. Client terminal B, which is also in possession
of the secret key Cr, does the same and, provided the results of the two encrypted
words are equal, transmitted information in the form of data traffic from client
terminal A via the network translation arrangement C to client terminal B is
acknowledged as being correct. That means further data traffic can be exchanged
between client terminal A and client terminal B.

By applying the above described function to the apparatus of Fig 1, the more
detailed description therefore yields the following interpretation of the
illustration: two communication client terminals 10, 20 which are both situated
behind network translation arrangements 12, 22. Communication between the two client
terminals must be established via a third party, which may include any kind of
communication means 30, such as for example a communication server or a portal. The
first steps for establishing a functional communication channel between the
communication client terminals 10 and 20 are carried out in parallel between the
individual clients 10 and 20 respectively, and on the other side the communication
means 30. As soon as the communication channels 10-30 and 20-30 respectively are
established, client terminals 10 and 20 can communicate with each other by
transmitting data via the communication means 30.

The above described procedure and function has similarities with the cryptologically
known method of challenge-response. Moreover, the arbitrary word "whatever"
consists of entirely arbitrary symbols which do not necessarily have a meaning or
form a known word.

A protective means, such as a firewall, is often arranged in a way that it allows
traffic to enter into a protected zone only on condition that corresponding traffic
has been transmitted out of that protected zone. For a situation when the
communication channel has not been utilised for a period of time, the state of a
firewall changes from a data permeable open mode to a locked mode. Another kind of
feature associated with firewalls is the described network address translation.
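The port mapping described with reference to Fig 2, the challenge-response acknowledgement with the shared key Cr, and the idle timeout into locked mode described just above can all be exercised together in the following simulation. This is an added example, not code from the patent or from Barratech AB: the names (SimulatedNat, run_scenario), the internal address 10.0.0.5 and the port numbers are assumptions, and a keyed HMAC over the challenge stands in for the document's unspecified "encrypt the arbitrary word" operation.

```python
import hashlib
import hmac
import secrets


class SimulatedNat:
    """Constructed model of the protective means C (assumed name, not from the patent).

    A mapping from (internal address, internal port "y") to an external port "z" is
    created only by outbound traffic, and an inbound packet to "z" is forwarded to "y"
    only while the mapping is fresh; an idle mapping expires, which is the "locked
    mode" the text describes, so the inbound packet is dropped.
    """

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.to_external = {}   # (int_addr, int_port) -> ext_port "z"
        self.to_internal = {}   # ext_port "z" -> (int_addr, int_port, last_outbound_time)
        self._next_ext_port = 40000  # constructed starting point for the "z" port pool

    def outbound(self, int_addr, int_port, now):
        """A packet leaves from port "y"; returns the external port "z" it appears from."""
        key = (int_addr, int_port)
        if key not in self.to_external:
            self.to_external[key] = self._next_ext_port
            self._next_ext_port += 1
        ext_port = self.to_external[key]
        # Every outbound packet refreshes the mapping (the "continuously transmit" rule).
        self.to_internal[ext_port] = (int_addr, int_port, now)
        return ext_port

    def inbound(self, ext_port, now):
        """A packet arrives at "z"; returns (int_addr, int_port) or None if dropped."""
        entry = self.to_internal.get(ext_port)
        if entry is None:
            return None  # no outbound traffic ever opened this port: drop
        int_addr, int_port, last_seen = entry
        if now - last_seen > self.idle_timeout:
            # Mapping went idle: the firewall is back in locked mode, so drop and forget.
            del self.to_internal[ext_port]
            del self.to_external[(int_addr, int_port)]
            return None
        return int_addr, int_port


def make_challenge():
    """B's arbitrary word: random bytes with no meaning, as the text allows."""
    return secrets.token_bytes(16)


def respond(shared_key, challenge):
    """A's answer: HMAC-SHA256 of the challenge under Cr (assumed in place of "encrypt")."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()


def verify(shared_key, challenge, answer):
    """B computes the same value with its own copy of Cr and compares in constant time."""
    return hmac.compare_digest(respond(shared_key, challenge), answer)


def run_scenario(key_a, key_b, idle_timeout=30, idle_gap=0):
    """Run the Fig 2 sequence with A's key key_a and B's key key_b.

    idle_gap is the time B waits before replying; a gap longer than idle_timeout
    shows the locked-mode failure. Returns a dict of what a defender would log.
    """
    nat = SimulatedNat(idle_timeout)
    client_a = ("10.0.0.5", 5004)  # constructed internal address and port "y"
    now = 0
    # Step 2: A sends from "y"; C allocates "z" and forwards to B's port "x".
    ext_port = nat.outbound(*client_a, now)
    # B replies to the source it saw, "z", possibly after sitting idle.
    now += idle_gap
    target = nat.inbound(ext_port, now)
    if target is None:
        return {"ext_port": ext_port, "reply_delivered": False, "acknowledged": False}
    # Step 3: B challenges A; A answers with its key; B checks with its own.
    challenge = make_challenge()
    answer = respond(key_a, challenge)
    return {"ext_port": ext_port, "reply_delivered": True,
            "acknowledged": verify(key_b, challenge, answer)}


if __name__ == "__main__":
    print(run_scenario(b"shared-Cr", b"shared-Cr"))
    print(run_scenario(b"shared-Cr", b"wrong-Cr"))
    print(run_scenario(b"shared-Cr", b"shared-Cr", idle_timeout=30, idle_gap=31))
```

The three calls at the bottom show the successful case, a key mismatch (the reply is delivered through the mapping but the acknowledgement fails, so no further traffic should be accepted), and the idle case where the mapping has expired and the reply never reaches port "y". Using a MAC rather than an encryption of the word keeps the check a pure equality comparison, which is what the text relies on, and `hmac.compare_digest` avoids leaking the comparison result through timing.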

Over the data connection any type of media information is distributed, such as
streaming video, IP telephony communication data or synchronous real-time
communication data.

In accordance with the present invention, software is developed in parallel with the
method of transmitting and acknowledging a media stream of data. The software
resides in a memory associated with the means for transmitting and acknowledging
according to Fig 1. The software is designed for instructing the hardware to carry
out the sequential method steps previously described in this document with
particular reference to Fig 2 and the method claims.
Claims

1. Apparatus for real-time data communication comprising a sending client terminal
(10) and at least one receiving client terminal (20), the client terminals being
provided with protective means (12, 22), the real-time data communication
transmitted via an intermediate distribution server (30), the protective means (12,
22) being provided with a network translation unit (not shown) for mapping one
internally accessible network destination address with a corresponding externally
accessible network destination address,
characterised in that

the sending client terminal (10) and the intermediate distribution server
(30) are adapted to exchange information between one another about the current
mapping of destination addresses for the server to access the receiving client
terminal (20) with real-time data communication.

2. Apparatus for real-time data communication according to claim 1, characterised
in that

the protective means is a firewall arrangement.

3. Apparatus for real-time data communication according to claim 1 or 2,
characterised in that

the protective means is a virus shield arrangement.

4. Apparatus for real-time data communication according to claims 1-3,
characterised in that

real-time data communication includes data from streaming video, IP
telephony or synchronous communication.

5. Method for real-time data communication comprising a sending client terminal
(10) and at least one receiving client terminal (20), the client terminals being
provided with protective means (12, 22), the real-time data communication
transmitted via an intermediate distribution server (30), the protective means (12,
22) being provided with a network translation unit (not shown) for mapping one
internally accessible network destination address with a corresponding externally
accessible network destination address,

characterised by

exchanging information between the sending client terminal (10) and
the intermediate distribution server (30) about the current mapping of destination
addresses for the server to access the receiving client terminal (20) with
real-time data communication.

6. Method for real-time data communication according to claim 5, further
characterised by

exchanging a secret piece of information, such as a so-called key,
between the sending and receiving client terminals,

the receiving client terminal transmitting a request to the sending client
terminal to encrypt an arbitrary sequence by using the secret piece of
information,

the sending and receiving client terminals encrypting the arbitrary
sequence by using the exchanged identical secret piece of information, and

comparing the results of the communication terminals' encrypted
sequences so as to acknowledge further transmission of real-time data
communication between the client terminals.

7. Method for real-time data communication according to claim 6, further
characterised by

exchanging the secret piece of information, the so-called key, in a
secure transport mode such as secure HTTP (hypertext transfer protocol) via TCP
(transmission control protocol).
8. Computer program product for real-time data communication comprising a
sending client terminal (10) and at least one receiving client terminal (20), the
client terminals being provided with protective means (12, 22), the real-time data
communication transmitted via an intermediate distribution server (30), the
protective means (12, 22) being provided with a network translation unit (not
shown) for mapping one internally accessible network destination address with a
corresponding externally accessible network destination address,
characterised in that

the computer program product is adapted for carrying out the method
steps of claims 5-7.
Abstract

The present invention relates to an apparatus and a method for real-time data
communication comprising a sending client terminal (10) and at least one receiving
client terminal (20), the client terminals being provided with protective means (12,
22), the real-time data communication transmitted via an intermediate distribution
server (30). Moreover, the protective means (12, 22) is provided with a network
translation unit (not shown) for mapping one internally accessible network
destination address with a corresponding externally accessible network destination
address. The invention is characterised in that the sending client terminal (10) and
the intermediate distribution server (30) are adapted to exchange information between
one another about the current mapping of internally and externally accessible
destination addresses for the server to reach the receiving client terminal (20)
with real-time data communication.



(Fig 1 for publication) 
Fig 1

Fig 2